Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- XSS Protection API 2.0.8
- None
Description
URL query parameter values are double-escaped for cases where namespace mangling has to be performed:
xssAPI.getValidHref("/path/to/page?key=%25text"); // -> /path/to/page?key=%25text (which is correct)
xssAPI.getValidHref("/path/to/page/jcr:content/par?key=%25text"); // -> /path/to/page/_jcr_content/par?key=%2525text (which is wrong)
Fixed in commit 9927ab0.
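The following is an added illustration, not code from the XSS Protection API and not the change made in commit 9927ab0. It shows one way a mangling branch can double-escape an already-escaped query value, next to a variant that leaves the query untouched, plus a regression check. The class, the method names and the simplified mangling regex are assumptions, and hrefs are assumed to carry no fragment.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class HrefManglingDemo {
    // Simplified stand-in for namespace mangling: "/jcr:content" -> "/_jcr_content".
    private static final Pattern NS_SEGMENT = Pattern.compile("/([^:/?#]+):([^:/?#]+)");
    static String manglePath(String path) {
        return NS_SEGMENT.matcher(path).replaceAll("/_$1_$2");
    }

    // Defective variant: only when mangling is needed is the href rebuilt, and the
    // already-escaped query values are escaped a second time ("%25" -> "%2525").
    static String mangleDoubleEscaping(String href) {
        int q = href.indexOf('?');
        if (q < 0) return manglePath(href);
        String path = href.substring(0, q);
        if (!NS_SEGMENT.matcher(path).find()) return href; // no mangling: href passes through
        String[] pairs = href.substring(q + 1).split("&");
        for (int i = 0; i < pairs.length; i++) {
            String[] kv = pairs[i].split("=", 2);
            if (kv.length == 2) pairs[i] = kv[0] + "=" + URLEncoder.encode(kv[1], StandardCharsets.UTF_8);
        }
        return manglePath(path) + "?" + String.join("&", pairs);
    }

    // Corrected variant: mangle the path only and carry the query over byte for byte.
    static String mangleKeepingQuery(String href) {
        int q = href.indexOf('?');
        return q < 0 ? manglePath(href) : manglePath(href.substring(0, q)) + href.substring(q);
    }
    // Regression check: decoding the query once must yield the same text before and after.
    static boolean queryPreserved(String in, String out) {
        return decodedQuery(in).equals(decodedQuery(out));
    }
    static String decodedQuery(String href) {
        int q = href.indexOf('?');
        return q < 0 ? "" : URLDecoder.decode(href.substring(q + 1), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        for (String h : new String[] {"/path/to/page?key=%25text", "/path/to/page/jcr:content/par?key=%25text"}) {
            String bad = mangleDoubleEscaping(h), good = mangleKeepingQuery(h);
            System.out.println("re-escaped: " + bad + " preserved=" + queryPreserved(h, bad));
            System.out.println("untouched:  " + good + " preserved=" + queryPreserved(h, good));
        }
    }
}
```

A check like `queryPreserved` is worth running over both kinds of input, because the defect only appears on hrefs that take the mangling branch.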